CVE-2025-31326

08.07.2025, 01:15

SAPBusinessObjects BusinessIntelligence Platform (Web Intelligence) is vulnerable to HTML Injection, allowing an attacker with basic user privileges to inject malicious code into specific input fields. This could lead to unintended redirects or manipulation of application behavior, such as redirecting users to attacker-controlled domains. This issue primarily affects the integrity of the system. However, the confidentiality and availability of the system remain unaffected.

Basic XSS

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.1 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
sap	CNA	4.1 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 6%

Common Weakness Enumeration

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Vulnerability Media Exposure

[GERMAN] SAP Patchday Juli 2025: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in SAP Software ausnutzen, um erhöhte Berechtigungen zu erlangen, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, Cross-Site-Scripting-Angriffe durchzuführen, Daten zu manipulieren, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen oder andere nicht spezifizierte Auswirkungen zu verursachen.
Published: 2025-07-07T22:00:00+00:00

References

https://me.sap.com/notes/3573199

https://url.sap/sapsecuritypatchday